The most important points in brief:
- The IT Security Act is a German law that sets minimum requirements for securing critical infrastructures and mandates the strengthening of IT security in companies.
- Companies are required to report security incidents, have regular audits carried out and implement technical and organizational measures according to the state of the art.
- Structured documentation and continuous review of the IT landscape are pivotal to meeting the legal requirements and reducing risks sustainably.

What is the IT Security Act? — Definition and background
The IT Security Act — often referred to as “IT-SiG”, “IT Security Act 1.0” or “BSI IT Security Act” — is a German law that sets minimum standards and obligations for securing critical IT infrastructures. Formally it is an amending act whose core provisions are written into the BSI Act (BSIG). Its first version came into force in 2015, followed by a comprehensive extension in 2021 with the IT Security Act 2.0.
The aim is a higher level of IT security in Germany, in particular through:
- Mandatory security requirements for operators of critical infrastructures (KRITIS)
- Improved reporting requirements for security incidents
- Strengthening and expanding the powers of the Federal Office for Information Security (BSI)
Who does the IT Security Act apply to? — Scope
The scope of the IT Security Act is primarily aimed at operators of so-called critical infrastructures (KRITIS). This covers sectors such as:
- Energy
- Health
- Transport and traffic
- Water
- Food
- Finance and insurance
- Information technology and telecommunications
The IT Security Act 2.0 extended the scope of application. It now also covers additional companies, including so-called “Companies in the Special Public Interest” (UBI).
These include, for example, companies that:
- are of particular economic significance,
- are part of the defense industry, or
- handle significant quantities of hazardous substances.
Why is the IT Security Act necessary?
Beyond the actual threat situation, the IT Security Act forces companies to raise their IT security measures to a professional level. The need can be understood from four perspectives:
1. Increasing cyber threats
Ransomware, phishing, zero-day exploits — attacks are rapidly evolving. Companies must adapt to avoid damage.
2. Statutory protection
The IT Security Act creates a clear legal basis for setting minimum standards and verifying compliance with them. This reduces risks for society and the economy.
3. Responsibility towards customers and partners
Regulations oblige companies to use IT infrastructures responsibly. Attacks on critical systems can have far-reaching social effects.
4. Specific obligations — examples
Among other things, companies must:
- implement technical and organizational measures in accordance with the “state of the art”,
- report security incidents to the BSI without delay,
- have regular checks and audits carried out,
- provide up-to-date documentation and evidence.
This last point in particular poses a challenge for IT departments: in hectic everyday IT operations there is often no time for clean documentation, especially when it is done manually.
How do you implement the IT Security Act?
1. Inventory of the IT landscape
In order to identify risks, companies must first know which systems actually exist. This includes:
- Network structures
- Servers and clients
- Applications
- Permissions
- Interfaces
For many companies this is the first major hurdle. Without automated tools, the overview usually remains incomplete.
2. Analysis of the security situation
After systems have been identified, a prioritized evaluation follows:
- Where are there weak points?
- Which systems are particularly critical?
- Where are access controls or current patches missing?
3. Documentation & verification
The IT-SiG, and in particular the BSI, expect up-to-date and comprehensible documentation, including:
- Network plans
- Authorization concepts
- Responsibilities
- Software versions
- Security incidents
4. Regular review (“state of the art”)
This includes:
- Penetration testing
- Audits
- Review of technical measures
- Security updates
Practical challenges
IT departments face typical hurdles:
- Lack of time: documentation costs valuable working time.
- Opaque networks: historically grown structures make overview and analysis difficult.
- Unclear responsibilities: who is responsible for which area?
- Lack of timeliness: documents quickly become obsolete if they are not maintained automatically.
Here is a possible scenario: a Monday morning in a medium-sized manufacturing company. The production line is at a standstill. The control station only shows error messages; the machines can no longer be controlled. Only after extensive analysis does it become clear that an attack via an unpatched firewall has paralyzed large parts of the network. The economic damage runs into the hundreds of thousands, and the company's reputation is significantly damaged. It later emerges that several legal requirements under the IT Security Act were not met: in particular, there was no current documentation and no evidence of the security measures in place.
Such scenarios are no longer an exception. The threat situation is constantly increasing, and at the same time the legal requirements for companies are growing. A central component of these requirements is the IT Security Act (IT-SiG).
This is exactly where modern tools such as our software Docusnap come in.
How Docusnap makes it easier to comply with the IT Security Act
For companies to meet legal requirements efficiently, transparency, automation and reliable timeliness are needed — three areas in which Docusnap shows its strengths.
1. Complete IT inventory — agentless and automated
Docusnap automatically captures servers, clients, network devices, software and permissions without agents. This forms the basis of every IT security audit.
2. Automated network plans & documentation
The IT-SiG requires comprehensible network and system documentation. Docusnap creates them automatically — including:
- network plans
- System overviews
- Active Directory structures
- Authorization analyses
3. Transparent authorization structures
Especially in the context of KRITIS, it is critical to know who has access to what. Docusnap provides clear evaluations and visualizes risks.
4. Automatic updates — evidence that is valid at any time
A major advantage: Docusnap automatically updates inventory data and documentation on a schedule. In this way, the evidence always remains up to date and auditable.
5. Support with audits and security reviews
With complete reports, standardized structures and exportable documentation, Docusnap makes internal and external audits significantly easier.
Best practices for implementing the IT Security Act
To ensure that implementation does not become a mammoth task, the following steps are recommended:
1. Start early
The earlier companies start, the easier it is to establish processes and documentation.
2. Define responsibilities
Clear roles ensure clean implementation.
3. Use automation
Automated tools reduce errors, save time, and keep documentation up to date.
4. Understand documentation as a continuous process
One-off documentation is not enough — regular updating is a must.
5. Store documents in a structured way
Speed is required in the event of an audit. Standardized structures make it easier to find and maintain records.
Conclusion: seeing the IT Security Act as an opportunity
The IT Security Act obliges companies to bring their IT security to a new level. The requirements are extensive but necessary, in view of increasing cyber threats and growing digital dependencies.
With a clear process, good preparation and supporting tools such as Docusnap, however, the requirements can be met efficiently, comprehensibly and sustainably. Docusnap helps companies create transparency, automate documentation and keep evidence available in a structured way. This turns the IT Security Act from a burden into an opportunity to make IT operations safer and more resilient in the long term.
The next steps
If you want to reliably meet the requirements of the IT Security Act and professionally set up your IT security processes, now is the ideal time to take action. With Docusnap, you not only gain full transparency about your IT environment, but also get a tool that significantly relieves you of everyday IT work and creates the basis for secure, legally compliant decisions.
Try it now for free
